Is it safe to encrypt your private keys with BIP38 and bitaddress.org?

gentlemand

legendary

Activity: 2590

Merit: 3014

Welt Am Draht

Quote from: dunand on August 18, 2017, 07:35:02 AM

If you are 100% sure your computer is safe from spyware...

It makes far more sense to do it with a machine that'll never see the internet again. You can get something that'll do the job for $20. If you ever do need to access the internet again with it just give it a comprehensive wipe.

It's far more reassuring doing all your crypto stuff on something you know can't possibly leak.

Kakmakr

legendary

Activity: 3472

Merit: 1963

Leading Crypto Sports Betting & Casino Platform

You do not need the site to "decrypt" the private keys. This can be done with other sites and software, where you sweep the private key to use those bitcoins. You use that site to generate your paper wallets. < public & private key combination >

Just take note : Simply generating this offline are not a fail-safe method to protect the information that were generated. Some Malware can still log information in "offline" mode and then make that available to their "master" when the computer are online again.

I prefer to use a cheap second-hand computer that will never be used online again, to generate my paper wallets. ^smile^

achow101

staff

Activity: 3374

Merit: 6530

Just writing some code

Quote from: jal007 on August 28, 2017, 06:36:28 PM

instead of using betaadress i think you should try this https://keybase.io/warp/ they scrypt algorithm and pbkdf2 with ability to use salt key

they describe there algorithm like this.

s1    =   scrypt(key=(passphrase||0x1), salt=(salt||0x1), N=218, r=8, p=1, dkLen=32)
s2    =   pbkdf2(key=(passphrase||0x2), salt=(salt||0x2), c=216, dkLen=32, prf=HMAC_SHA256)
keypair   =   generate_bitcoin_keypair(s1 ⊕ s2)

No, don't do that. That is making a brainwallet, which is not what OP is asking. It is not encrypting private keys or using BIP 38 or doing anything of the sort that OP is asking about. Please do not post if you don't know what you are talking about.

jal007

full member

Activity: 138

Merit: 100

instead of using betaadress i think you should try this https://keybase.io/warp/ they scrypt algorithm and pbkdf2 with ability to use salt key

they describe there algorithm like this.

s1    =   scrypt(key=(passphrase||0x1), salt=(salt||0x1), N=218, r=8, p=1, dkLen=32)
s2    =   pbkdf2(key=(passphrase||0x2), salt=(salt||0x2), c=216, dkLen=32, prf=HMAC_SHA256)
keypair   =   generate_bitcoin_keypair(s1 ⊕ s2)

mpufatzis

full member

Activity: 840

Merit: 128

Use a Raspberry Pi.
Burn an SD Card with Linux, run the saved (in a memory stick) Bitaddress webpage using the RPi web browser and make as many keys as you wish.
Print the keys in a printer (you can connect it to RPi too, google for more informations) or encrypt the list in the the memory stick using pgp.
Format or destroy the SD Card and never use the memory stick in a computer.

Kaller

hero member

Activity: 752

Merit: 501

Yes you can do this safely.
First, wipe your computer first to make sure there are no viruses.
Turn turn off internet when you get to Bitaddress.
You can still generate addresses with the internet off.
Finally, print the keys and voila, you have secure keys!
Unless you have a virus no one will know them.

ranochigo

legendary

Activity: 2982

Merit: 4193

Quote from: lukaexpl on August 19, 2017, 04:52:51 AM

If the keyloggers are so prevalent and powerful aren't we at risk of having masterseed or mnemonic stolen everytime we TYPE it in any type of wallet that takes keyboard input.

Yes. That's why you have to be careful about what you download and click.

Quote from: lukaexpl on August 19, 2017, 04:52:51 AM

Is there a way around it, like for example displaying randomly ordered keyboard on screen within such software. Why is that not implemented or am I being naive without being aware of it?

Yes. It's called on-screen keyboard. Most wallet don't implement it and I can see why. If there is a keylogger in your computer, there's an extremely high chance of your computer also having other malware (RAT) and that can do whatever they want with your wallet.

lukaexpl

full member

Activity: 148

Merit: 106

Quote from: ranochigo on August 18, 2017, 07:53:17 AM

Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.

If you want to be safe, you HAVE to install a clean OS offline and load the website in your offline instance. Your cold storage can be considered as compromised once the computer it has is connected to the internet.

If the keyloggers are so prevalent and powerful aren't we at risk of having masterseed or mnemonic stolen everytime we TYPE it in any type of wallet that takes keyboard input.
Is there a way around it, like for example displaying randomly ordered keyboard on screen within such software. Why is that not implemented or am I being naive without being aware of it?

cr1776

legendary

Activity: 4060

Merit: 1303

Quote from: lukaexpl on August 18, 2017, 08:41:14 AM

Quote from: ranochigo on August 18, 2017, 07:53:17 AM

Quote from: lukaexpl on August 18, 2017, 07:38:04 AM

Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?

Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.

Thanks. So the keylogger gets my password but if I only write down an encrypted key and than shut bitaddress.org I should be half-way safe because it would have the password but not what it unlocks - namely encrypted private key.

You also should clear the browser cache, quit the browser etc after doing it.

lukaexpl

full member

Activity: 148

Merit: 106

Quote from: ranochigo on August 18, 2017, 07:53:17 AM

Quote from: lukaexpl on August 18, 2017, 07:38:04 AM

Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?

Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.

Thanks. So the keylogger gets my password but if I only write down an encrypted key and than shut bitaddress.org I should be half-way safe because it would have the password but not what it unlocks - namely encrypted private key.

cr1776

legendary

Activity: 4060

Merit: 1303

Quote from: lukaexpl on August 17, 2017, 09:32:24 AM

I do! Thanks. I would only put my mind at more ease knowing that recreating something like BIP38 protocol is relatively simple task for the educated.

You can also fork it on github which gives you another online backup of it.

ranochigo

legendary

Activity: 2982

Merit: 4193

Quote from: lukaexpl on August 18, 2017, 07:38:04 AM

Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?

Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.

If you want to be safe, you HAVE to install a clean OS offline and load the website in your offline instance. Your cold storage can be considered as compromised once the computer it has is connected to the internet.

lukaexpl

full member

Activity: 148

Merit: 106

Thanks. So for ultimate safety you should take the hard route.

Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?

dunand

hero member

Activity: 637

Merit: 502

Quote from: lukaexpl on August 18, 2017, 04:40:38 AM

Quote from: dunand on August 17, 2017, 09:08:05 AM

You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.

When you run the proccess of private key creation using bitaddress.org is it enough to be offline or should you be made to jump through hoops by burning Linux installation, running it on a computer with harddrive plugged out, no internet connection etc.?

If you are 100% sure your computer is safe from spyware...

lukaexpl

full member

Activity: 148

Merit: 106

Quote from: dunand on August 17, 2017, 09:08:05 AM

You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.

When you run the proccess of private key creation using bitaddress.org is it enough to be offline or should you be made to jump through hoops by burning Linux installation, running it on a computer with harddrive plugged out, no internet connection etc.?

lukaexpl

full member

Activity: 148

Merit: 106

I do! Thanks. I would only put my mind at more ease knowing that recreating something like BIP38 protocol is relatively simple task for the educated.

dunand

hero member

Activity: 637

Merit: 502

You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.

lukaexpl

full member

Activity: 148

Merit: 106

Lets say you use this page in an offline mode, print the encrypted keys, stamp it on metal, store it somewhere in a vault etc.
That should provide you reasonable security.

However, that site is the only one I could find doing the decryption of encrypted private keys.
The fear that I have is that if the site is gone would you be able to employ a sufficiently able programmer to create an encryption/decryption program with the information publicly available regarding this encryption protocol?

Thanks

Topic: Is it safe to encrypt your private keys with BIP38 and bitaddress.org? (Read 1175 times)